Zero-Day Keyloggers: One of the most dangerous threats to cyber security

Why 76% of attacks might be evading antivirus

May 20, 2019

Researchers have found that zero-day attacks are far more common today than in the past: one study attributes 76% of successful attacks on organizations' endpoints to zero-day exploits.[1] A zero-day attack targets a software vulnerability that has not yet been publicly documented or patched; until the vendor mitigates it, attackers can exploit it, often for financial gain. One driver of this rise is modern malware's ability to change its form and stay undetected for long periods. Researchers estimate that 97% of malware now uses polymorphic techniques, re-encoding or rewriting itself so that each new build looks different from the sample that anti-malware vendors catalogued.[2] Such malware can remain effectively "zero-day" for months, sometimes years, before it is identified. Traditional antivirus relies on signatures, which are only created once a sample has been captured and analyzed; a polymorphic variant that matches no existing signature is largely invisible to signature-based detection.
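The following Python script, added here as an illustration and not taken from any cited research, shows why a file hash or byte-pattern signature built from one catalogued sample fails against every later polymorphic build, while a check that first undoes the packing still catches them all. The "payload" is a constructed text string, the packer is a toy XOR scheme with a made-up `PK` stub marker, and the signature format is an assumption; none of it is real malware.

```python
import hashlib
import os
from typing import Optional

# Constructed stand-in for a malicious payload body. It is plain text, not code,
# and plays the part of the keylogger bytes an analyst would build a signature on.
PAYLOAD = b"keylog: hook keyboard; exfil to 203.0.113.10:4444"

STUB_MAGIC = b"PK"  # marker of our toy packer's decode stub (assumption)


def polymorphic_build(payload: bytes) -> bytes:
    """Toy polymorphic packer: every build XORs the payload with a fresh random
    key, so the bytes on disk differ from build to build while the behaviour
    (what the decoded payload does) stays identical."""
    key = os.urandom(8)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return STUB_MAGIC + bytes([len(key)]) + key + body


def unpack(sample: bytes) -> Optional[bytes]:
    """Generic unpacker: recognise the stub layout and undo the XOR. This mimics
    what a scanner does when it emulates or statically unpacks a known packer."""
    if not sample.startswith(STUB_MAGIC) or len(sample) < 3:
        return None
    klen = sample[2]
    key, body = sample[3:3 + klen], sample[3 + klen:]
    if klen == 0 or len(key) != klen:
        return None
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def make_signature(catalogued: bytes) -> dict:
    """What a vendor extracts from the one sample it has seen: the file hash of
    that build plus a byte pattern the analyst recovered from the payload."""
    return {"sha256": hashlib.sha256(catalogued).hexdigest(), "pattern": b"hook keyboard"}


def static_match(sample: bytes, sig: dict) -> bool:
    """Traditional signature check against the bytes as they sit on disk."""
    return hashlib.sha256(sample).hexdigest() == sig["sha256"] or sig["pattern"] in sample


def unpacked_match(sample: bytes, sig: dict) -> bool:
    """Same pattern, applied to the decoded payload instead of the packed bytes."""
    inner = unpack(sample)
    return inner is not None and sig["pattern"] in inner


def run_demo(n_variants: int = 20) -> dict:
    catalogued = polymorphic_build(PAYLOAD)      # the one build the vendor obtained
    sig = make_signature(catalogued)
    variants = [polymorphic_build(PAYLOAD) for _ in range(n_variants)]  # later rebuilds
    return {
        "catalogued_detected": static_match(catalogued, sig),
        "static_hits": sum(static_match(v, sig) for v in variants),
        "unpacked_hits": sum(unpacked_match(v, sig) for v in variants),
        "variants": n_variants,
    }


if __name__ == "__main__":
    print(run_demo())
```

The catalogued build is detected by its hash, every rebuilt variant slips past the static check, and the unpack-then-match check flags all of them. Real packers vary the decode stub as well, which is why scanners fall back to emulation or behavioural monitoring rather than static unpacking alone.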
 

Keyloggers are often named among the most dangerous forms of malware because they can capture everything typed on a computer or mobile device.[3] When keylogging spyware evades antivirus for a long period, effectively remaining "zero-day", the result can be an enormous payday for cyber criminals. An undetected keylogger on a victim's device can simply wait until the most sensitive data is typed: access credentials, online banking logins and credit card numbers. For consumers and small merchants, this can mean identity theft and drained bank accounts. In the enterprise, credentials captured by a keylogger let attackers move laterally through the organization until they reach network access credentials and valuable assets such as customer data. Keylogging has played a role in many high-profile breaches, including Anthem and Target, the hack of the Democratic National Committee and, most recently, the Eastern European cybercriminal group GozNym, whose members were indicted by the U.S. Department of Justice on May 16, 2019 for stealing $100 million through bank account takeovers of American victims.[4]
 

Keyloggers are commonly installed after a victim clicks a malicious link or attachment in an email, text message, social media post or web page. Tricking victims into clicking links that look legitimate is called "phishing". According to the Verizon Data Breach Investigations Report, phishing was found in 90% of breaches, and 95% of phishing attacks that resulted in a breach were followed by some form of software installation, commonly including keyloggers.[5]
 

ACS EndpointLock Keystroke Encryption is a preventative control that blocks keylogging spyware on a device, even spyware that is already installed and evading antivirus as a "zero-day". Using the proprietary ACS Keystroke Transport Layer Security (KTLS™) protocol, keystrokes are encrypted before they reach the part of the input path where keyloggers reside, routed around it, and decrypted only into the text box of the target application or browser, so a keylogger sitting in between captures ciphertext rather than what the user typed. Since keylogging and credential theft are often the first steps in a breach, protecting keystrokes at the endpoint can help prevent the further malware installation and data loss that follow.
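To make the architecture concrete, the Python below simulates the path described above: a driver-side encryptor, a user-mode keylogging hook in the middle, and an application that decrypts into its text field. This is an added example, not ACS code and not a description of how KTLS™ actually works. It assumes a session key already shared between the encryptor and the application (generated in place here), uses HMAC-SHA256 in counter mode as a stand-in stream cipher with a per-keystroke MAC, and feeds in a constructed password string.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

# Constructed input: what the user types into a password field.
TYPED = "hunter2\n"
TAG_LEN = 8


def _keystream(key: bytes, seq: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode: a stream cipher from the
    standard library only. Illustrative; a product would use a vetted AEAD."""
    return hmac.new(key, seq.to_bytes(8, "big"), hashlib.sha256).digest()


def _tag(key: bytes, seq: int, ct: bytes) -> bytes:
    """Truncated MAC binding the ciphertext to its sequence number."""
    return hmac.new(key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()[:TAG_LEN]


def encrypt_keystroke(key: bytes, seq: int, ch: str) -> bytes:
    """Driver side: encrypt one keystroke under a per-keystroke sequence number
    and append a MAC so reordering or replay of events is detectable."""
    pt = ch.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, seq)))
    return ct + _tag(key, seq, ct)


def decrypt_keystroke(key: bytes, seq: int, blob: bytes) -> str:
    """Application side: verify the MAC for the expected sequence number, then
    recover the character into the target text field."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, seq, ct)):
        raise ValueError("keystroke event failed authentication (tampered or replayed)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, seq))).decode("utf-8")


class HookKeylogger:
    """Stand-in for user-mode keylogging spyware sitting on the input path
    between the keyboard driver and the application (e.g. a message hook).
    It records every event and passes it on unchanged, as a real hook would."""

    def __init__(self) -> None:
        self.captured: List[bytes] = []

    def observe(self, event: bytes) -> bytes:
        self.captured.append(event)
        return event


def type_text(text: str, encrypt: bool) -> Tuple[str, bytes]:
    """Push each keystroke through driver -> keylogger hook -> application.
    Returns what the application received and what the keylogger captured."""
    key = os.urandom(32)  # session key shared by driver and application (assumption)
    logger = HookKeylogger()
    received = []
    for seq, ch in enumerate(text):
        event = encrypt_keystroke(key, seq, ch) if encrypt else ch.encode("utf-8")
        event = logger.observe(event)  # the spyware sees whatever passes here
        received.append(decrypt_keystroke(key, seq, event) if encrypt else event.decode("utf-8"))
    return "".join(received), b"".join(logger.captured)


def replay_is_rejected() -> bool:
    """A captured event re-injected at a different position must not decrypt."""
    key = os.urandom(32)
    first = encrypt_keystroke(key, 0, "h")
    try:
        decrypt_keystroke(key, 1, first)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    app, seen = type_text(TYPED, encrypt=False)
    print("plain pipeline: app got %r, keylogger saw %r" % (app, seen))
    app, seen = type_text(TYPED, encrypt=True)
    print("encrypted pipeline: app got %r, keylogger saw %s" % (app, seen.hex()))
```

Without encryption the hook captures the password verbatim; with it, the application still receives the exact text while the hook sees only ciphertext and tags. Two caveats a practitioner should keep in mind: the protection only covers keyloggers that sit above the point where encryption happens, so a kernel-level driver below it, screen capture or clipboard theft are out of scope, and the application that decrypts the keystrokes necessarily holds the plaintext.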

 

  1. https://www.votiro.com/2018-the-four-zero-day-attack-stats-and-trends/

  2. https://sensorstechforum.com/97-of-malware-infections-are-polymorphic-researchers-say/

  3. https://www.lifewire.com/most-damaging-malware-153602

  4. https://www.nytimes.com/2019/05/16/business/malware-cybercrime-eastern-europe.html

  5. https://enterprise.verizon.com/resources/reports/2017_dbir.pdf